Australia’s Medibank Health Insurance Data Held For Ransom, 200GB Of Medical Records Stolen
Cyber security woes for major Australian firms continue as health insurance giant Medibank suffered a data breach that saw 200GB of medical records stolen by a hacker and held for ransom.
The company misidentified the attack as involving ransomware, but it appears to have been a matter of data exfiltration. The amount of the ransom remains unknown; the hacker has leaked around 100 records containing an assortment of information that reportedly includes medical conditions and addiction treatment records.
Contact and medical information stolen in Medibank health insurance hack
With around 3.7 million customers and a market share of around 27%, Medibank is the largest health insurance provider in Australia. The company had its trading halted by the Australian Securities Exchange on Wednesday the 19th after the hacker contacted the company privately, claimed to have 200GB of stolen data, and provided a sample of around 100 customer policies to confirm the attack was legitimate.
The customers’ health insurance policies contain a selection of personal contact information: full names, home addresses, dates of birth and telephone numbers, at a minimum. More worrying for Australians is the inclusion of National Health Service Identification Numbers, just weeks after major telecommunications provider Optus was breached. The loss of national identification numbers in that attack caused a backlog at government agencies as many people lined up to have their numbers changed.
The worst thing about the Medibank breach is that in some cases medical records are included with the health insurance policies. As part of the shakedown, the thieves named around 1,000 high-profile or vulnerable people for whom they claim to have medical records, ranging from politicians and celebrities to LGBTQ activists and people with substance abuse problems.
Cybersecurity Minister Clare O’Neil mischaracterized the Medibank breach as a ransomware attack; her office later clarified that the data was stolen without the deployment of ransomware, which the health insurance giant confirmed. The attack did not disrupt the company’s day-to-day operations (except for the trading halt), but it remains unknown how many customers’ contact information or medical records were exposed.
Australians dealing with mass exposure of telephone services and medical records
There has yet to be any official confirmation, but some reporting indicates that Medibank’s medical records were stolen from a budget provider called “ahm” (formerly Australian Health Management), which offers cheaper policies; the data may have been obtained from the department that handles health insurance for international students. International students are required by law to obtain a private policy when they come to Australia to study. ahm reportedly has information on one million of the company’s health insurance customers in its system.
Medibank has responded to the breach by adding staff to its customer support lines. The company has said that potentially affected customers should call 13 23 31 if they have health insurance with Medibank or 13 42 46 if they have a policy with ahm. The company’s CEO David Koczkar also issued a formal apology for the breach.
Since the end of September, Australian companies have been under something of a sustained cyber siege. It is unclear whether this is a coincidence, or whether interest in the country is increasing for some reason; in late September, the Australian Cyber Security Centre issued a warning about a campaign by Iranian state-backed hackers targeting critical infrastructure, but there are currently no links between that campaign and the attacks on Optus and Medibank.
Optus and Medibank are two of the biggest companies to have been hit in this latest spate of crimes, but they are far from the only recognizable corporate names to have been attacked and lost large amounts of personal data. Since the beginning of October, the large company Telstra has also been hit, with information about tens of thousands of current and former employees stolen. Woolworths, a leading grocery chain in the country, also experienced a breach of its online shopping site MyDeal that exposed the contact details of up to 2.2 million customers. And online wine seller Vinomofo was also hit for potentially half a million customer records.
The spate of crimes has prompted action by the Australian government to improve security, putting forward new rules that will require the country’s banks to act quickly when news breaks of data breaches that expose personal information. This is one of the main fears about the health insurance information that was revealed; if it’s leaked to the public, fraudsters will be quick to try to use it for identity theft and account takeovers. The problem is only exacerbated by the presence of medical records, which can be used both to make fraud attempts more convincing and to blackmail victims.
Neena Sharma, senior strategist at Clavister, sees a need for companies to go further even though government regulations do not specify security improvements: “The data breach that Medibank is suffering is concerning, especially after the Optus cyber attack that also hit Australia just a few weeks ago. Highly sensitive personal information was accessed by the hackers, raising concerns about adequate online protection. Companies and industries that have large amounts of sensitive consumer data, such as health insurance companies, the transportation sector and the banking sector, need to invest better in protecting technologies to prevent hackers from gaining access to personal information. Cloud security measures are essential to ensure stronger protection against cybercriminals. The cybersecurity industry is working toward a “passwordless” future because passwords are easily guessed or hacked by cybercriminals. Solutions such as authentication apps, multi-factor authentication or single sign-on can ensure greater protection against cyber attacks. Alongside no passwords, companies must also strive for a zero-trust approach to security where users are continuously verified when trying to access applications or resources. Cloud security solutions can also limit the impact and scope of potential data breaches. Beyond the individual level, organizations and public bodies must ensure that they implement more robust and, crucially, flexible security measures in the future to mitigate such breaches and protect highly sensitive data.”